This past summer
saw developments relating to peer-to-peer (“P2P”) music file sharing.
Of most significance, on June 25, 2003, the Recording
Industry Association of America ("RIAA"), a trade
group that represents U.S. record companies, announced it would
seek out the heaviest P2P service users and sue them for copyright
infringement [1].
Subsequently on September 8 the RIAA filed
suit against 261 individuals in federal courts across the country.
In order to identify these individuals, the RIAA issued over 1600
subpoenas under the Digital Millennium Copyright Act. The RIAA has
since issued lawsuit notification letters to an additional 204 individuals.

In connection with the recording industry's enforcement effort,colleges and universities have been served with DMCA subpoenas seeking the identity
of students engaged in file sharing on educational networks and
should be aware of their rights and responsibilities in this regard. This Note will describe P2P file sharing, identify some
campus policies to respond to or prevent inappropriate activity,
and suggest possible responses by institutions in receipt of a DMCA
subpoena seeking the identity of alleged copyright infringers using
the institution's computer network.

DISCUSSION:What Is Peer-to-Peer
Sharing?Peer-to-peer
networks consist of users who share information directly with each
other over the Internet without having to log onto a central computer.
In 1999, a Northeastern University student created a software program
called Napster, which allowed its users to trade music and other
data online. In February 2001, however, the United States Court
of Appeals for the 9th Circuit held that Napster, Inc. had committed
contributory copyright infringement by maintaining a central database
of available files and their locations for the program’s users [2].

Following the Napster case, the
recording industry targeted the other major peer-to-peer file sharing
services, including KaZaA, Grokster, Aimster and Morpheus. While
these services are also designed to let people exchange music, movies,
videos and other files over the Internet, they, unlike Napster,
are not themselves directly involved in the actual process of sharing,
but instead merely provide programs that permit the sharing to occur.
A recent federal decision concluded that the companies that provide
these programs are not engaging in infringing activity, because
the programs can also be used for legitimate file sharing – just
as a VCR may be used for both legal and illegal acts [3].

In its effort to protect the intellectual
property of its members, the recording industry is now attempting
to pursue directly individuals who share files of copyrighted material.
Some (though by no means the dominant) percentage of file sharing
occurs in the college and university environment, [4] and
many of the first subpoenas were issued to educational institutions.
Colleges and universities should be prepared to respond if they
receive such subpoenas and should take steps to protect themselves
– and their students – from potential lawsuits.

Peer-to-Peer Sharing Issues for
Universities and CollegesIn
the current legal climate, universities should
be aware of the following P2P file-sharing issues.

Intellectual Property
Issues
Distribution of copyrighted materials over the Internet without
the copyright owner’s permission can be a violation of the Sec. 106 of the Copyright
Act. The DMCA generally protects colleges and universities from
liability for illegal file sharing by their students on university
networks. However, the institution must register with the Copyright
Office and comply with certain other requirements in order to obtain
this “safe harbor” immunity [5].
Moreover, the institution can lose its immunity in some cases if
it knows or should know about specific infringing activity [6].

Other Network IssuesPeer-to-peer sharing
can adversely affect the performance of the computing network in
several ways. File sharing can consume a large amount of bandwidth --
some studies have shown that as much as 60% of all traffic/storage
on university networks may be devoted to file sharing, leaving little
room for more important traffic [7]. Large scale file sharing may also render a network more
susceptible to viruses and privacy violations and may open the door
to hackers. Moreover, excessive P2P sharing on an institution's
network may result in a large volume of DMCA subpoenas, the processing
of which requires use of limited institutional resources.

Recording Industry Concerns
In an October 3, 2002, letter to nearly 2,300 college and university
presidents, the RIAA expressed concern over student “piracy of copyrighted
creative works” and addressed the need for academic institutions
to develop policies to prevent online copyright infringement [8]. Specifically,
the RIAA requested that colleges and universities adopt and implement
policies that:

(1) Inform students of their moral
and legal responsibilities;
(2) Specify what practices are and are not acceptable on yourschool's network;
(3) Monitor compliance; and
(4) Impose effective remedies against violators.

While these requests go beyond the requirements
of the DMCA – which, in particular, does not require an ISP to monitor
its users’ compliance with copyright law – they are an important
indicator of the recording industry's expectations.

What Should A
College or University Consider When Implementing Policy?

Whether for legal, bandwidth management
or other reasons, institutions attempting to deal with these issues
should consider taking some or all of the following steps:

Adopt and inform students and
other usersof
a policy terminating the network privileges of those found to be
infringing copyrights repeatedly and actively enforce that policy
when infringements are identified. Doing so is a prerequisite
to the DMCA safe harbor.

Post the policy on the institution's website
where it is easily accessible to the university community.
In addition, institutions may wish to implement a mechanism that
requires users to prove they have read the policy prior to obtaining
initial access to the institution's network [9].

Educate usersabout
copyright law and give them examples of what they can and cannot
do[10]. Let
them know that it generally is best to assume that all but the oldest
material is copyright protected unless explicitly stated otherwise
and that copyright infringers could face up to $150,000 per infringement,
as well as potential criminal penalties in some cases.

Recognize that not all P2P file sharing
is copyright infringement; some P2P sharing may have legitimate
academic use, and your policy should acknowledge the academic benefits
of legitimate P2P sharing.

Consider implementing packet-shaping
or other technical means of limiting the amount of filesharing that can
occur on the network.

What If An Institution Receives a DMCA Subpoena?The
DMCA gives copyright owners the ability to subpoena internet service
providers (including colleges and universities operating computer
networks) for “information sufficient to identify the alleged infringer”
[11]. Copyright
holders need not file a lawsuit first; the copyright holder need
only apply to the clerk of any United States district court(see discussion at footnote 15 below).
The application
must include the following:

a signature of a person authorized to act
on behalf of the copyright owner;

identification of the copyrighted work
claimed to have been infringed;

identification of the material claimed
to be infringing (including information reasonably sufficient to
allow the service provider to locate the material);

information reasonably sufficient to allow
the service provider to locate the complaining party;

a statement that the complaining party
has a good faith belief that the use of the material is not authorized;

a statement that the information in the
application is accurate;

a proposed subpoena; and

a sworn declaration that the purpose of
the subpoena is to identify the alleged infringer and that the information
obtained will be used only to protect copyright rights [12].

A college or university that receives such
a subpoena must “expeditiously disclose to the copyright owner or
person authorized by the copyright owner the information required
by the subpoena, notwithstanding any other provision of law …” [13]. Before doing so,
however, theinstitution should confirm that
the subpoena complies with the requirements listed above. If it does not, compliance with the subpoena
would not be required by the DMCA and therefore presumably would
be prohibited by the Family Educational Rights and Privacy Act (“FERPA”)
[20 U.S.C. 1232(g)(b)(2)(B)][14]. Whether a subpoena that does comply
with the DMCA requirements must also comply with the additional
requirements of FERPA – including notification of the affected students
in advance of compliance – is an open question [15].Institutions
would be wise to continue to insist on compliance with FERPA until
this issue is resolved.

FN4. Statement of Hon. Lamar Smith, Chairman, Subcommittee of Courts, the Internet,
and Intellectual Property, House Judiciary Committee, February 26, 2003,
indicating that research by one P2P file sharing service indicated that
16% of all files available at any given moment are located at IP addresses
managed by U.S. educational institutions; and that users trading from
networks managed by educational institutions accounted for 10% of all
users on the service at any given moment.

FN6.
For an excellent discussion of types of copyright infringing
activity and the potential liability of students engaged in peer-to-peer
file-sharing, see "Background
Discussion of Copyright Law and Potential Liability for Students Engaged
in P2P File Sharing on University Networks", issued on August 8, 2003 by the
American Council on Education (ACE). This article was issued as part of the
education effort of the Joint Committee of the Higher Education and Entertainment
Communities, formed to work collaboratively toward solutions to the
copyright problems caused by unauthorized peer-to-peer file sharing on
college campuses.

FN8. RIAA
Letter to College and University Presidents, October 3, 2002.
Following the RIAA letter, on October 8, 2002 the presidents of 6 leading
higher education associations wrote a letter to the presidents of U.S. colleges
and universities referencing the RIAA letter and urging them to join in "addressing
the inappropriate use of campus facilities to disseminate copywritten
materials".

Senator
Sam Brownback of Kansas recently introduced Senate
Bill 1621, the "Consumers, Schools, and Libraries Digital Rights
Management Awareness Act of 2003", Sec. 5 of which states in part
"Notwithstanding any other provision of law, an Internet access service
may not be compelled to make available to a manufacturer of a digital
media product or its representative the identity or personal information
of a subscriber or user of its service for use in enforcing the
manufacturer's rights relating to use of such product on the basis of a
subpoena or order issued at the request of the manufacturer or its
representative except under a valid subpoena or court order issued at the
request of the manufacturer or its representative in a pending civil
lawsuit or as otherwise expressly authorized under the Federal Rules of
Civil Procedure or the civil procedure rules of a state.

Verizon has appealed this decision and argument was
held before the U.S. Circuit Court of Appeals for the District of Columbia
on September 16. A comprehensive case archive, including links to
pleadings and briefs, is available at http://www.eff.org/Cases/RIAA_v_Verizon/.

FN15. In
response to RIAA subpoenas it received issued by the U.S. District Court
for the District of Columbia, Boston College moved to quash enforcement of the
subpoenas on the ground that they did not comply with Federal
Rule of Civil Procedure 45(a)(2) and (b)(2) because they were not
issued from the court for the district in which the production of the
documents named in the subpoena were to produced, or alternatively by a
court within 100 miles of the place of production. Boston College
further argued that because the subpoenas were not lawfully issued, it
could not disclose the information pursuant to FERPA Sec. 1232g(b)(2)(B);
and sought a protective order stating that if and when the RIAA served it
with lawfully issued subpoenas, those subpoenas must give Boston College
sufficient time to give reasonable advance notice to any student whose
education record may be produced. The U.S. District Court for
Massachusetts granted Boston College's motion to quash on the basis of FRCP
45(a)(2) and (b)(2).